CVE-2025-32711
M365 Copilot Information Disclosure Vulnerability
Description
Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
INFO
Published Date :
June 11, 2025, 2:15 p.m.
Last Modified :
June 17, 2026, 9:12 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | |||||
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Update M365 Copilot to the latest version.
- Apply vendor patches promptly.
- Review access controls and configurations.
Public PoC/Exploit Available at Github
CVE-2025-32711 has a 129 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-32711.
| URL | Resource |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711 | Vendor Advisory |
| https://www.aim.security/lp/aim-labs-echoleak-m365 |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-32711 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-32711
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Python PLpgSQL TypeScript HTML
None
JavaScript HTML
Graph based AI policy violation detection automaton
Makefile Python
None
Makefile Python
基于 Rust 开发的高性能命令行邮件工具 mail-cli,专为 AI 代理自动化场景设计,支持 SMTP 发信、IMAP 收信、邮件查询与管理。 轻量高效、低占用、命令简洁,可无缝接入自动化脚本、服务端任务与智能代理流程。
Rust
A small, reproducible harness testing how RAG systems leak data across permission boundaries, and which design actually holds.
access-control evals llm-security rag rbac prompt-injection retrieval-augmented-generation
Python
A living museum of real AI-agent failures that runs as regression tests — pytest for other people's rakes. 86 sourced incidents + 98 red-team probes, 14 deterministic detectors.
ai ai-agents ai-safety evals jailbreak llm llm-security prompt-injection red-team regression-testing
JavaScript
None
CSS JavaScript TypeScript HTML
None
JavaScript CSS
Pre-mortems and postmortems for AI coding agents: 261 tagged real-world incidents + a 12-class agentic-AI failure model, shipped as Claude Code skills.
agent-skills ai-safety claude claude-code devops failure-analysis incident-response llm observability postmortem prompt-injection rca reliability sre
Python
Trust-before-use audit service for AI agent skills. Detects prompt injections, hidden instructions, and context waste in SKILL.md files. Zero-auth API with Ed25519 signed certificates. NANDAHack 2026.
ai-agents ai-safety llm-security nanda nandahack prompt-injection security skill-audit
Dockerfile Python
A curated, opinionated list of resources for securing AI agents, LLMs, and the Model Context Protocol (MCP) — attacks, defenses, tools, labs, and research. All links verified.
agent-security ai-agents ai-safety ai-security awesome awesome-list cybersecurity jailbreak llm llm-security mcp mcp-security owasp prompt-injection red-teaming
MCP 安全扫描器,10/10 OWASP MCP Top 10 全覆盖,零 API 依赖,pip install 即用
Python
AI Agent security testing framework with 160+ attack cases from latest research
agent-security ai-agent attack-framework jailbreaking llm-security owasp pentesting prompt-injection red-team security-testing
Python Batchfile
RAG Engineer interview questions & answers for 2026 — retrieval, embeddings, chunking, re-ranking, eval, production & security. 100 Qs + worked designs. MIT.
ai-engineer-interview awesome-list embeddings interview-prep llm-interview rag rag-engineer rag-interview retrieval-augmented-generation vector-database
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-32711 vulnerability anywhere in the article.
-
The Hacker News
New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email
Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" abou ... Read more
-
The Hacker News
One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
A single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot Enterprise Search. Researchers at Varonis Threat Lab ... Read more
-
NVISO Labs
Securing AI systems without overconfidence or fear – Part 2: Attack surfaces and the checkpoint flow
Document information Series Securing AI systems without overconfidence or fear Part 2 of 5 Title Attack surfaces and the checkpoint flow Date May 2026 Author Hussein Bahmad (NVISO) Reading time ~13 mi ... Read more
-
TheCyberThrone
The Exploit That Arrived in an Email and Left With Your Data
The Distinction Nobody Makes Clearly EnoughWhen most practitioners hear “prompt injection,” they picture a user typing malicious instructions directly into a chatbot. “Ignore previous instructions. Re ... Read more
-
CybersecurityNews
New One-Click Microsoft Copilot Vulnerability Grants Attackers Undetected Access to Sensitive Data
A novel single-click attack targeting Microsoft Copilot Personal that enables attackers to silently exfiltrate sensitive user data. The vulnerability, now patched, allowed threat actors to hijack sess ... Read more
-
CybersecurityNews
One Year Of Zero-Click Exploits: What 2025 Taught Us About Modern Malware
The year 2025 represents a pivotal moment in cybersecurity, showcasing a remarkable evolution in zero-click exploitation techniques that significantly challenges our understanding of digital security. ... Read more
-
Help Net Security
Cato Networks acquires Aim Security to bring AI protection into SASE Cloud
Cato Networks acquired Aim Security to further enhance the Cato SASE Cloud Platform, supporting secure enterprise adoption of AI agents and both public and private AI applications. Cato has now exceed ... Read more
-
CybersecurityNews
Weekly Cybersecurity News Recap : Apple 0-day, Chrome, Copilot Vulnerabilities and Cyber Attacks
This past week was packed with high-severity disclosures and active exploitation reports across the global threat landscape. At the forefront, Apple rushed out emergency patches for yet another zero-d ... Read more
-
Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
AgentFlayer 0-click exploit abuses ChatGPT Connectors to Steal 3rd-party app data
AgentFlayer is a critical vulnerability in ChatGPT Connectors. Learn how this zero-click attack uses indirect prompt injection to secretly steal sensitive data from your connected Google Drive, ShareP ... Read more
-
Trend Micro
Preventing Zero-Click AI Threats: Insights from EchoLeak
Key Takeaways EchoLeak is a zero-click AI vulnerability that exploits Copilot’s use of historical contextual data to silently execute hidden prompts without user interaction. The attack method relies ... Read more
-
TheCyberThrone
EchoLeak Vulnerability in Microsoft 365 Copilot
Skip to contentOverviewEchoLeak is a critical zero-click vulnerability found in Microsoft 365 Copilot, revealed in 2025 by AIM Security. The flaw allowed attackers to steal sensitive enterprise data w ... Read more
-
databreaches.net
Copilot AI Bug Could Leak Sensitive Data via Email Prompts
Rashmi Ramesh reports: A well-phrased email was all an attacker would have needed to trick Microsoft Copilot into handing over sensitive data until the operating system giant patched the vulnerability ... Read more
-
Google Online Security Blog
Mitigating prompt injection attacks with a layered defense strategy
With the rapid adoption of generative AI, a new wave of threats is emerging across the industry with the aim of manipulating the AI systems themselves. One such emerging attack vector is indirect prom ... Read more
-
SentinelOne
More From Our Main Blog: The Good, the Bad and the Ugly in Cybersecurity – Week 24
The Good | Operation Secure Dismantles Global Infostealer Infrastructure in Multi-Nation Crackdown An international law enforcement initiative dubbed “Operation Secure” delivered a significant blow to ... Read more
-
Dark Reading
Researchers Detail Zero-Click Copilot Exploit 'EchoLeak'
Source: Adrian Vidal via Alamy Stock PhotoA critical vulnerability could have enabled attackers to unleash prompt injection attacks against Copilot users, though Microsoft ultimately addressed the iss ... Read more
-
The Hacker News
Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
A novel attack technique named EchoLeak has been characterized as a "zero-click" artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 Copil ... Read more
-
BleepingComputer
Zero-click AI data leak flaw uncovered in Microsoft 365 Copilot
A new attack dubbed 'EchoLeak' is the first known zero-click AI vulnerability that enables attackers to exfiltrate sensitive data from Microsoft 365 Copilot from a user's context without interaction. ... Read more
The following table lists the changes that have been made to the
CVE-2025-32711 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
Jun. 17, 2026
Action Type Old Value New Value Added Affected [{'vendor': 'Microsoft', 'product': 'Microsoft 365 Copilot', 'versions': [{'status': 'affected', 'version': '-'}]}] -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 17, 2026
Action Type Old Value New Value Added SSVC {'id': 'CVE-2025-32711', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2025-06-14T03:56:23.238014Z'} -
CVE Modified by [email protected]
Feb. 20, 2026
Action Type Old Value New Value Added CWE CWE-74 Removed CWE CWE-77 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Aug. 04, 2025
Action Type Old Value New Value Added Reference https://www.aim.security/lp/aim-labs-echoleak-m365 -
Initial Analysis by [email protected]
Jul. 10, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Added CPE Configuration OR *cpe:2.3:a:microsoft:365_copilot:-:*:*:*:*:*:*:* Added Reference Type Microsoft Corporation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711 Types: Vendor Advisory -
New CVE Received by [email protected]
Jun. 11, 2025
Action Type Old Value New Value Added Tag exclusively-hosted-service Added Description Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N Added CWE CWE-77 Added Reference https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711